View Single Post
  #4   (View Single Post)  
Old 2nd July 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,635

Do you have a colander? Maybe, maybe not. Things to think about:

Password authentication

As I mentioned above, I don't think passwords are good security.

How strong is your "admin" password? Any 8-character password can be broken by brute-force in a matter of days; if a dictionary attack is used and the password contains words or word fragments, it can be broken in a weekend. That's not good.

My recommendation: disable password authentication, and use alternative authentication methods.

OpenBSD supports many authentication technologies (see login.conf(5) for most), including Kerberos and physical token systems. For simplicity with SSH, I happen to like public key authentication when keys can be stored remotely, and S/Key one-time-use passphrases when they can't (see skey(1) and related man pages).

Sudo limitations

You are allowing vi(1) to be executed as root. Once in the editor, the "admin" user can request a shell, and they will then have a root shell without restriction and without audit history.

If you are trying to limit what "admin" can do, you must only permit the execution of programs that that do not allow shell escapes.


If you are "admin" and you are trying to limit damage should someone acquire the password .... your best solution is to not use passwords, or not use them alone.

Current commercial best practice is to require binary authentication -- two different things:
  1. Something you have (token device, binary key, biometric, etc.)
  2. Something you know (passphrase, password, PIN, etc.)
Reply With Quote